On 30 March 2015 at 12:26, Ilari Liusvaara <ilari.liusvaara@elisanet.fi> wrote:
> On Mon, Mar 30, 2015 at 10:10:20AM -0700, Roy T. Fielding wrote:
>> Why is the origin on the client still http://bank.com/ when it is
>> deliberately making requests to https://bank.com:443/ ?
>
> Because ALT-SVC does not change origin, only transport.

That was my answer to the concern: don't tie your authentication to the transport, tie it to the origin. That is, if you are requesting resources for a given origin, then make sure that you have everything you need for that origin, including server authentication, confidentiality and integrity if it is https://. Finally, don't send cookies, authentication or other stuff to origins that don't deserve them, regardless of what is actually being used to send packets.

Received on Monday, 30 March 2015 17:48:48 UTC